GraphQL Server Security Best Practices

Transcript

1. ⚡ A lightning talk by Robert Saunders ⚡ GraphQL Server

   Security Best Practices

2. • Authentication • Authorization • IDOR Attacks • DoS Attacks

   • Side-channel Attacks Agenda

3. Authentication

4. Authentication is not the same as authorization.

5. BAD BETTER

6. Perform authentication outside of GraphQL layer. Takeaway 1

7. Authorization

8. Field Level Access Checks

9. None

10. Type Level Access Checks

11. Have authorization in the schema per type. Takeaway 2

12. IDOR Attacks (Insecure Direct Object Reference)

13. Relay Global Object Identification Spec • Recommends that GraphQL schemas

    provide a standard way to fetch objects by globally-unique IDs. • Enables consistent object caching (on both the client and server) and re- fetching by popular GraphQL client- side libraries, via the node field.
14. None
15. None
16. None
17. None

18. Scope operations down to what the authenticated viewer should actually

    be able to see. Takeaway 3

19. DoS Attacks (Denial of Service)

20. - Wikipedia “A denial-of-service attack is a cyber-attack in which

    the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet.”

21. Max Query String Length

22. None

23. Max Query Complexity/Depth

24. GraphQL requests are hard to predict the cost of, thus

    setting constraints is a must. Takeaway 4

25. Side-channel Attacks

26. - " “Side-channel attacks, as they relate to public APIs

    usually come down to attackers finding inventive ways to make revealing inferences about data they cannot directly obtain, due to an API’s otherwise well-functioning authorization layers. These attacks can provide attackers insights into your and your customers' businesses.”
27. None

28. Where possible, prevent giving clues to data that the user

    does not have access to. Takeaway 5

29. 1. Perform authentication outside of GraphQL layer. 2. Have authorization

    in the schema per type. 3. Scope operations down to what the authenticated viewer should actually be able to see. 4. GraphQL requests are hard to predict the cost of, thus setting constraints is a must. 5. Where possible, prevent giving clues to data that the user does not have access to. Recap:

30. Thanks!